AWS Security Hub のアイコン

AWS Security Hub Popular2018年〜

Centrally manage your AWS security posture and automatically check compliance with best practices

About 2 min read

What It Does

AWS Security Hub aggregates findings from security services like GuardDuty, Inspector, Macie, and Firewall Manager into a single view, providing visibility into the security posture of your entire AWS environment. It runs automated checks against security standards such as CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices.

Use Cases

Centralized security monitoring across multi-account environments, automated compliance checks, prioritizing and triaging security findings, and streamlining security operations through SIEM integration.

Everyday Analogy

Think of a building's central security office. Alerts from cameras and sensors (security services) on each floor (AWS service) are consolidated on a single screen to monitor the entire building's security. Regular patrols (automated checks) also catch things like unlocked fire doors (misconfigurations).

What Is Security Hub?

AWS Security Hub serves as the "command center" for security. Once enabled, it automatically runs security checks based on AWS Config rules, detecting issues like public S3 buckets, unencrypted EBS volumes, and IAM users without MFA. Findings are categorized by severity (Critical, High, Medium, Low).

Security Standards and Integrations

Security Hub offers multiple security standards. AWS Foundational Security Best Practices covers AWS-specific best practices, while CIS AWS Foundations Benchmark provides industry-standard security criteria. Findings from GuardDuty, Inspector, Macie, and others are unified in ASFF (AWS Security Finding Format), and automated remediation actions can be triggered via EventBridge. For a structured approach to learning about security standards and integrations, reference books on Amazon are helpful.

Getting Started

In the Security Hub console, click "Enable Security Hub" and select the security standards to apply. AWS Config must be enabled as a prerequisite. Integration with Organizations allows bulk enablement across all accounts. A 30-day free trial is available.

Things to Watch Out For

  • Security Hub requires AWS Config to be enabled. Config recording charges apply separately
  • Pay-per-use based on the number of security checks and ingested findings
共有するXB!

Related Services

Amazon GuardDuty iconAmazon GuardDutyA machine learning-powered threat detection serviceAmazon Inspector iconAmazon InspectorA service that automatically scans EC2 instances, container images, and Lambda functions for vulnerabilitiesAWS Config iconAWS ConfigA service that records and evaluates AWS resource configuration changes and continuously monitors complianceAWS Organizations iconAWS OrganizationsA service for centrally managing multiple AWS accounts

Related Articles

CloudTrail Sees Everything - How API Calls Are Recorded and Practical Forensic InvestigationThis article explains how CloudTrail records AWS API calls, the differences between management events and data events, SQL analysis with CloudTrail Lake, and forensic investigation techniques when a security incident occurs.Data Privacy Protection - Automated Sensitive Data Discovery and Threat Defense with Amazon Macie and GuardDutyLearn practical data privacy protection techniques combining Amazon Macie's automated sensitive data discovery in S3 with Amazon GuardDuty's threat intelligence. This article covers comprehensive security measures from identifying personal information to real-time threat detection.Investigating Security Incidents with Amazon Detective - Root Cause Identification Through Graph AnalysisLearn about investigating GuardDuty findings with Detective, entity profiles, and leveraging behavior graphs.Threat Detection with Amazon GuardDuty - ML-Based Anomaly Detection and Incident ResponseLearn how GuardDuty detects threats, classifies findings, and integrates with Security Hub for incident response.Automated Vulnerability Scanning with Amazon Inspector - Continuous Security Assessment for EC2, Lambda, and ECRAutomatically scan EC2 instances, ECR container images, and Lambda functions for vulnerabilities and prioritize them with CVE-based risk scores. Learn how to achieve agentless scanning through Systems Manager integration.

More in This Category

IAM Access Analyzer iconIAM Access Analyzer SpecializedA service that detects externally accessible resources and unused access permissionsAWS Certificate Manager iconAWS Certificate Manager EssentialA service that automates provisioning, management, and deployment of SSL/TLS certificatesAWS Artifact iconAWS Artifact SpecializedA service for on-demand access to AWS compliance reports and agreementsAWS Audit Manager iconAWS Audit Manager SpecializedA service that automates evidence collection and assessment for compliance auditsAWS CloudHSM iconAWS CloudHSM SpecializedA service for managing encryption keys using dedicated hardware security modulesAmazon Cognito iconAmazon Cognito PopularA service that provides authentication, authorization, and user management for web and mobile applicationsAmazon Detective iconAmazon Detective SpecializedA service that automatically analyzes security findings and investigates root causesAWS Directory Service iconAWS Directory Service SpecializedA service that provides managed Active Directory on AWS

Similar Articles and Services

Security Posture Management - Building a Unified Security Monitoring Foundation with AWS Security HubLearn about unified security monitoring with AWS Security Hub and automated threat detection through GuardDuty integration. This guide covers visualizing compliance with security best practices and security governance for multi-account environments.AWS Security HubA service that provides centralized visibility into the security posture of your entire AWS environment, performing automated assessments against industry-standard security benchmarks and aggregating findings.Centralized Security Posture Management with AWS Security Hub - Aggregating Findings and Automated ResponseAggregate findings from GuardDuty, Inspector, and Macie using ASFF, quantify your security score through automated security standard evaluations, and set up automated remediation via EventBridge.AWS Security Service Integration - Native Threat Detection from GuardDuty to Detective Without a SIEMWe explain the native threat detection mechanism through the integration of GuardDuty, Security Hub, Detective, and Macie, and compare the design philosophy differences with Azure Sentinel.Vulnerability Assessment and Threat Detection - Continuous Security Monitoring with Amazon Inspector and GuardDutyLearn how to design and operate vulnerability assessment and threat detection using Amazon Inspector and Amazon GuardDuty.